- Check for usages of
- Ensure all user input is properly escaped.
- Ensure any input in `$.prependTo` is escaped. Instead use `$.text`, or don’t use jQuery at all.
- Check for usages of
- Ensure all APIs are running inside the Kibana HTTP service.
- Ensure no usages of
- Ensure no usages of dynamic requires
- Check for template injection
- Check for usages of templating libraries, including `_.template`, and ensure that user provided input isn’t influencing the template and is only used as data for rendering the template.
- Check for possible prototype pollution.
- Ensure no usages of
- Check for instances of `anObject[a][b] = c` where a, b, and c are user defined. This includes code paths where these logical steps are performed in separate files by completely different operations, or recursively using dynamic operations.
- Validate any user input, including API url-parameters/query-parameters/payloads, preferably against a schema which only allows specific keys/values. At a very minimum, black-list `prototype.constructor` for use within keys.
- When calling APIs which spawn new processes or potentially perform code generation from strings, defensively protect against Prototype Pollution by checking `Object.hasOwnProperty` if the arguments to the APIs originate from an Object. An example is the Code app’s spawnProcess.
  - Common Node.js offenders:
  - Common Client-side offenders: `setTimeout('some string', num)`, `setInterval('some string', num)`
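The `anObject[a][b] = c` pattern and the own-property check above, as an added example that is not Kibana's code: `unsafeSet` is the polluting form, `safeSet` the hardened form, and `pickOwnArgs` is a hypothetical guard to run on request fields before they reach a process-spawning API (the Code app's spawnProcess is only named on the page; the helper here is not its code).

```javascript
// Added example, not Kibana's code: a deep assignment of the form
// anObject[a][b] = c in its polluting form and a hardened form, plus the
// own-property check to apply before request fields reach a process-spawning
// API. `unsafeSet`, `safeSet` and `pickOwnArgs` are names chosen here.

// VULNERABLE: walks user-supplied keys straight through the object graph.
// A path of ['__proto__', 'x'] lands on Object.prototype and every object
// in the process then reports an `x` property.
function unsafeSet(target, path, value) {
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    if (node[path[i]] === undefined) node[path[i]] = {};
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Keys that reach the prototype chain instead of the object itself.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// HARDENED: rejects forbidden keys outright, only descends through own
// properties, and creates intermediate nodes without a prototype at all.
function safeSet(target, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array');
  }
  for (const key of path) {
    if (typeof key !== 'string' || FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to assign through key ${JSON.stringify(key)}`);
    }
  }
  let node = target;
  for (let i = 0; i < path.length - 1; i++) {
    const key = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[path[path.length - 1]] = value;
  return target;
}

// Before calling something like child_process.spawn with fields taken from
// a request body, copy only the fields that are the body's OWN properties.
// A polluted prototype can add inherited fields; they are never read here.
function pickOwnArgs(body, allowedFields) {
  const args = Object.create(null);
  for (const field of allowedFields) {
    if (Object.prototype.hasOwnProperty.call(body, field)) {
      args[field] = body[field];
    }
  }
  return args;
}
```

`safeSet` refuses the three keys that reach the prototype chain rather than trying to detect every way a path could get there, and `pickOwnArgs` treats the allow-list of field names as the only source of truth for what a spawn call may receive.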
- Check for accidental reveal of sensitive information
  - The biggest culprit is errors which contain stack traces or other sensitive information which end up in the HTTP Response
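One way to keep stack traces and internal messages out of the HTTP response, as an added example that is not Kibana's code: the `statusCode` property on intentionally thrown errors, and the `clientError` and `toErrorResponse` helpers, are assumptions for this illustration.

```javascript
// Added example, not Kibana's code: turn a caught error into an HTTP
// response without leaking its stack trace or internal message. The
// `statusCode` property on intentional errors and the helper names are
// assumptions for this illustration.

// Errors a handler throws on purpose (bad request, not found) carry a
// status code and a message that is written for the client.
function clientError(statusCode, message) {
  const err = new Error(message);
  err.statusCode = statusCode;
  return err;
}

// `log` receives the full detail; the returned body receives only what the
// client should know.
function toErrorResponse(err, log) {
  const detail = err && err.stack ? err.stack : String(err);
  log(`request failed: ${detail}`);

  const status = err && Number.isInteger(err.statusCode) ? err.statusCode : 500;
  if (status >= 400 && status < 500) {
    return { statusCode: status, body: { statusCode: status, message: err.message } };
  }
  // Unexpected failure: a generic body, and nothing that came from the
  // error object (message, stack, inner error, file paths, query text).
  return {
    statusCode: 500,
    body: { statusCode: 500, message: 'An internal server error occurred' },
  };
}
```

The split is deliberate: only errors a handler created itself get their message forwarded, because those messages were written with a client in mind; anything thrown by a library or the runtime is treated as internal, whatever it says.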
- Check for mishandled API requests
  - Ensure no sensitive cookies are forwarded to external resources.
  - Ensure that all user controllable variables that are used in constructing a URL are escaped properly. This is relevant when using `transport.request` with the Elasticsearch client as no automatic escaping is performed.
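Escaping user-controllable values before they are placed in a `transport.request` path, as an added example that is neither Kibana's nor the Elasticsearch client's code: `buildDocPath` and `buildSearchPath` are helper names chosen here, and `unescapedDocPath` is kept only to show what the missing escaping does to the same inputs.

```javascript
// Added example, not Kibana's or the Elasticsearch client's code: build the
// path and query string for a transport.request call from user-controllable
// values. Helper names are chosen here; the client performs no escaping.

function assertNonEmptyString(name, value) {
  if (typeof value !== 'string' || value.length === 0) {
    throw new TypeError(`${name} must be a non-empty string`);
  }
}

// Each path segment is encoded on its own, so a '/' or '?' inside a user
// value stays inside that segment instead of adding segments or a query.
function buildDocPath(index, id) {
  assertNonEmptyString('index', index);
  assertNonEmptyString('id', id);
  return `/${encodeURIComponent(index)}/_doc/${encodeURIComponent(id)}`;
}

// Query parameters go through URLSearchParams, which encodes '&', '=' and
// '#', so one user value cannot smuggle in a second parameter.
function buildSearchPath(index, params) {
  assertNonEmptyString('index', index);
  const qs = new URLSearchParams(params).toString();
  return `/${encodeURIComponent(index)}/_search${qs ? `?${qs}` : ''}`;
}

// The unescaped form, kept only to show what goes wrong: the same inputs
// produce extra path segments and an unintended query string.
function unescapedDocPath(index, id) {
  return `/${index}/_doc/${id}`;
}
```

Note that `encodeURIComponent` is used per segment rather than `encodeURI` over the whole path; the latter leaves `/`, `?`, `&` and `=` alone, which is exactly the set of characters that changes the meaning of the request.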
- When there are user controllable links or hard-coded links to third-party domains that specify `target="_blank"` or `target="_window"`, the `a` tag should have the `rel="noreferrer noopener"` attribute specified. Allowing users to input markdown is a common culprit; a custom link renderer should be used.
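The escaping requirement above (under XSS) and the custom link renderer for markdown, as one added example that is not Kibana's code: `escapeHtml` covers text and attribute contexts, and `renderLink` is a hypothetical renderer that adds `target="_blank"` with `rel="noreferrer noopener"` to every link that leaves `ownOrigin` (an assumed parameter holding the app's own origin). It goes one step beyond the page by also refusing non-http(s)/mailto schemes in the href.

```javascript
// Added example, not Kibana's code: escape untrusted text before it is put
// into HTML, and render markdown-style links so that third-party links carry
// rel="noreferrer noopener". `renderLink` and `ownOrigin` are assumptions.

// The five characters that can break out of text content or a double-quoted
// attribute value.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Only these schemes may appear in an href; javascript:, data: and the like
// are rendered as plain text instead of a link.
const SAFE_PROTOCOLS = new Set(['http:', 'https:', 'mailto:']);

// Renders one link. Relative URLs resolve against ownOrigin (the Kibana
// origin); anything on another origin opens in a new tab with a rel that
// stops the opened page from reaching window.opener or seeing the referrer.
function renderLink(href, text, ownOrigin) {
  const label = escapeHtml(text);
  let parsed;
  try {
    parsed = new URL(href, ownOrigin);
  } catch (e) {
    return label; // unparseable href: keep the text, drop the link
  }
  if (!SAFE_PROTOCOLS.has(parsed.protocol)) {
    return label;
  }
  const safeHref = escapeHtml(parsed.href);
  if (parsed.origin === ownOrigin) {
    return `<a href="${safeHref}">${label}</a>`;
  }
  return `<a href="${safeHref}" target="_blank" rel="noreferrer noopener">${label}</a>`;
}
```

The href is escaped with the same function as the text because it sits inside a double-quoted attribute; the `&` in a query string must become `&amp;` there just as it would in text content.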
- SSRF - https://www.owasp.org/index.php/Server_Side_Request_Forgery
  - All network requests made from the Kibana server should use an explicit configuration or white-list specified in the kibana.yml.
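Checking an outbound request against an explicit allow-list before the server makes it, as an added example that is not Kibana's code: the list of entries stands in for a kibana.yml setting (its key name is not on the page and is not assumed here), and `parseAllowlist`, `assertAllowedUrl` and `isAllowedUrl` are helper names chosen for this illustration.

```javascript
// Added example, not Kibana's code: check an outbound URL against an explicit
// allow-list before the server makes the request. The entries below are a
// constructed stand-in for values read from kibana.yml; helper names are
// chosen here.

const outboundAllowlist = [
  'https://api.example.com',
  'https://updates.example.com:8443',
];

// Each entry becomes an exact (scheme, host[:port]) pair; no wildcards.
function parseAllowlist(entries) {
  return entries.map((entry) => {
    const u = new URL(entry);
    return { protocol: u.protocol, host: u.host };
  });
}

const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;

// Returns the parsed URL if the request may proceed, otherwise throws.
function assertAllowedUrl(rawUrl, allowlist) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    throw new Error(`not a valid absolute URL: ${rawUrl}`);
  }
  if (url.protocol !== 'https:') {
    throw new Error(`scheme not allowed: ${url.protocol}`);
  }
  if (url.username || url.password) {
    throw new Error('credentials embedded in the URL are not allowed');
  }
  // IP literals never match a hostname-based allow-list; reject them explicitly
  // so loopback, private and link-local addresses cannot slip past a typo in
  // the configuration. The URL parser has already normalised forms such as
  // decimal or hex IPv4 into dotted quads, so the regex sees the canonical form.
  if (IPV4.test(url.hostname) || url.hostname.startsWith('[')) {
    throw new Error(`IP literal hosts are not allowed: ${url.hostname}`);
  }
  const allowed = allowlist.some((a) => a.protocol === url.protocol && a.host === url.host);
  if (!allowed) {
    throw new Error(`host not in allow-list: ${url.host}`);
  }
  return url;
}

// Boolean form for callers that only want to filter.
function isAllowedUrl(rawUrl, allowlist) {
  try {
    assertAllowedUrl(rawUrl, allowlist);
    return true;
  } catch (e) {
    return false;
  }
}
```

Matching on `url.host` (hostname plus any explicit port) rather than `hostname` means an entry that names a port only permits that port, and an entry without one only permits the default.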